```html ```
top of page

Warlock Went Back to Work Before You Did. The Holiday's Rough Beast Slouched In Through the Newest SharePoint Bug and Out the Far Side Into a Second Network.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 2 hours ago
  • 4 min read

This morning I argued that the quiet over the July 4th weekend was measurement decay, not safety — that every gauge dimmed for reasons unrelated to what attackers were doing, and that the real disclosures would fill in as the working world came back online. I did not expect the receipt to land by dinnertime. Yeats had the image for it eighty years early: the ceremony of innocence is drowned, and some rough beast, its hour come round at last, slouches toward the door. The beast came back to work before most of us did, and its name this week is Warlock.



Who slouched in


The crew is tracked as Storm-2603 — also carried as GOLD SALEM, also just "the Warlock group." It is a suspected China-based operation, and it is one of the more honest villains in the catalog about what it wants: money and secrets, a hybrid financial-and-espionage animal that ransoms you and reads your mail on the way out. It deploys Warlock ransomware (you may see it as X2anylock), and it has spent the last year making a single family of software its whole career.


This is not a new face. Storm-2603 is the crew that rode SharePoint's ToolShell vulnerabilities through the front doors of the United States government in 2025 — into the National Nuclear Security Administration, the Department of Education, and the Department of Health and Human Services, among a tally that reached 400-plus SharePoint servers across 148-plus organizations worldwide. When I called the weekend's attackers "bulls in the china shop" this morning, I meant it as an idiom. Storm-2603 makes it literal: a China-nexus actor, standing in the middle of the government's own china shop, having walked in through a Microsoft collaboration server.



The door it used, again


The bug of the week is [CVE-2026-45659](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-45659), a deserialization-of-untrusted-data remote-code-execution flaw in on-premises SharePoint Server, CVSS 8.8, patched by Microsoft in May and added to CISA's Known-Exploited list on July 1 — with a federal remediation deadline of July 4 that is now, as of this writing, a memory. If that shape sounds familiar, it should. It is the newest entry in a dynasty we have documented end to end: CVE-2024-38094, then the ToolShell line of 2025, then CVE-2026-20963 in March, and now this. Same product, same bug class, one KEV after another. This is the stickiness thesis made flesh — exploitation does not wander looking for new frontiers; it settles onto proven ground and homesteads. The oldest religion on the enterprise web is deserialize the thing the user sent you and run it, and SharePoint keeps holding the service.



What "lateral into a second network" actually means


The detail that makes this an update and not a rerun is the movement. Reporting on the current campaign has Storm-2603 doing what it does best: getting into one organization through the SharePoint door and then walking out the far side into a second one. The tradecraft in between is a greatest-hits of the boring, effective classics — masscan to map the internal network, Mimikatz reaching into LSASS memory to pull plaintext credentials, PsExec and Impacket and WMI to move host to host, bring-your-own-vulnerable-driver to switch off the endpoint protection, and then the coup de grâce that should keep an admin up at night: modifying Group Policy so the domain itself distributes the ransomware for them. One compromised door, every room in the building, and then the building next door. This is the "one door, every crew" pattern we keep naming, except here it is one crew using the door twice.



The part that proves this morning right


Step back and this is the whole holiday thesis closing its own loop inside a single day. The weekend looked quiet because the press was off, the feeds were thin, and our own edge was sleepy — none of which had anything to do with Storm-2603, who does not observe federal holidays and was busy the entire time. The quiet was the instruments dimming. The noise you are hearing now, Monday afternoon, is the instruments waking up and reporting what was already true. Patch your SharePoint. The deadline to do it comfortably passed on Saturday, while the gauges said all was calm.



A footnote for the paranoid, because it's the same lesson


While the ransomware beast slouched back to its keyboard, the academics handed us the week's shiny new nightmare: TrojPix, an air-gap exfiltration technique out of Shandong University that tweaks on-screen pixels in ways your eye cannot catch, so the video cable carrying them radiates a faint radio signal a nearby receiver decodes into your data. It made the rounds as a breakthrough. It is Van Eck phreaking. Wim van Eck published the original — reconstructing a screen's contents from its electromagnetic emanations — in 1985. Neal Stephenson put it in Cryptonomicon in 1999, close enough to a generation ago that the people breathlessly retweeting TrojPix may have read about it in a novel before they could drive. The technique is real, the research is good, and the point is the same one the SharePoint dynasty makes: the newest attack in the news is very often the oldest attack with a fresh coat of paint. Nothing under this particular sun is new. The calendar resets; the beasts are ancient.


We hold this at about 95 percent, as always — the Storm-2603 attribution is other people's reporting corroborated across several shops, not our own capture, and we say so. But the shape is not in doubt, and neither is the timing. The holiday is over. The rough beast is back at its desk, it came in through a door we have named four times now, and it walked straight through into the next building. Go patch. The quiet was never quiet.


This one's on the house. Murphy was an optimist.


Follows this morning's "Every Way We Measured the July 4th Weekend Said 'Quiet'" and the SharePoint-dynasty coverage in "China Is Inside DHS's Own Threat-Sharing Network" — both at dugganusa.com.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page